List of AWS Controls You Can Test for Security Governance: SaaS-Based Web Application and API Penetration Testing

The document discusses penetration testing of AWS cloud infrastructure. It provides tools like Prowler and CloudSploit that can be used to scan for vulnerabilities in AWS. It lists different areas that can be tested, including governance, network management, encryption controls, and logging/monitoring. The document notes some parts of AWS like physical hardware that cannot be penetration tested. It outlines steps to take before testing like defining the scope and getting approvals. Finally, it recommends remediating highest risks first after a test and having the testing company retest to verify fixes.

Uploaded by Manoj Kumar

SaaS-based web application and API penetration testing

The SaaS security testing assessment identifies security risks and vulnerabilities in your SaaS applications and supporting infrastructure, and delivers the recommendations needed to remediate the issues and improve your overall resilience against cyberattacks. The deliverables are:

- An executive summary in which the issues, attack scenarios, and business impact are explained in non-technical language
- A detailed description of the vulnerabilities, a demonstration of the attack scenarios, and suggestions for fixing the issues
- A remediation prioritization matrix, helping your team to prioritize fixes and decrease risk to the environment

AWS cloud penetration test and security review

- Prowler: An open-source tool that scans the AWS cloud infrastructure for potential vulnerabilities. It also checks IAM permissions and compliance against standard benchmarks.
- CloudSploit: A cybersecurity tool that audits the configuration of the services in your AWS Cloud. It covers areas such as publicly exposed servers, unencrypted data storage, lack of least-privilege policies, misconfigured backup and restore settings, data exposure, and privilege escalation.
- CloudJack: An open-source assessment tool that checks for Route53/CloudFront/S3 vulnerabilities in your AWS Cloud services.

List of AWS Controls You can Test for Security

Governance:
- Identify assets and define AWS boundaries
- Identify, review, and evaluate risks
- Understand AWS usage/implementation
- Access policies
- Add AWS to the risk assessment
- IT security and program policy
- Documentation and inventory

Network Management:
- Environment isolation
- Granting and revoking access
- Network security controls
- Documentation and inventory
- Physical links
- Malicious code controls
- DDoS layered defense

Encryption Control:
- IPSec tunnels
- AWS API access
- SSL key management
- AWS Console access
- Protect PINs at rest

Logging and Monitoring:
- Review policies for 'adequacy'
- Aggregate from multiple sources
- Review the Identity and Access Management (IAM) credentials report
- Centralized log storage
- Intrusion detection and response
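The IAM credentials report review listed above is usually done by pulling the CSV that `aws iam get-credential-report` returns and triaging it. The script below is an added example, not part of the original document or any of the tools it names; it parses a constructed sample in that report's column layout (a subset of the real columns) and flags the findings a reviewer looks for first: root without MFA or with active keys, console users without MFA, and access keys older than a rotation window.

```python
"""Triage an IAM credential report (added example; sample data is constructed)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential-report CSV layout (subset of the real columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,true,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-03-04T10:00:00+00:00,true,no_information,2022-01-10T00:00:00+00:00,N/A,false,true,2022-01-10T00:00:00+00:00,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-20T00:00:00+00:00,2024-05-01T00:00:00+00:00,true,2023-01-01T00:00:00+00:00,N/A
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the output is reproducible


def _parse_ts(value: str):
    """Return a datetime for an ISO timestamp; None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def triage_credential_report(report_csv: str, now=NOW, max_key_age_days=90):
    """Return a sorted list of (user, finding) tuples for the given report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should never be used day to day: it needs MFA and no long-lived keys
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has active access keys"))
            continue
        # Console users need MFA; active keys past the rotation window are findings
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in triage_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```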

The areas of AWS Cloud where you cannot perform pen testing
- The physical hardware that belongs to AWS
- AWS-controlled servers
- Amazon Relational Database Service (RDS)
- Other vendors' EC2 instances
- Security appliances managed by other vendors

Steps you need to take before AWS pen testing
- Decide the target systems for the test and define the scope.
- Run preliminary operations on your own.
- Select the type of security test you are going to conduct.
- Prepare an outline of the stakeholders' expectations from the penetration test.
- Set a definite timeline for the test procedure.
- Get written approval from all the concerned parties involved with the cloud.

WHAT STEPS SHOULD I TAKE AFTER THE PENTEST?

Following a pentest, a documented report of findings and remediation recommendations will be provided to the organization. Findings are rated by risk to the AWS environment: the higher the risk, the more likely an exploit is or the greater the potential impact to the organization. Obviously, you should remediate the highest risks first. However, it is equally important to have the pentest company perform a retest to verify remediation closure. Some laws, regulations, and standards require a retest if "Critical" or "High" findings were discovered by the pentesting company.

Additionally, if any pentest reports are distributed to an auditor, a client of the organization, or another third party, remediation details should be included. Safe distribution of these reports must be considered, to prevent a malicious attacker from intercepting the data and gaining knowledge of how to potentially launch an attack against the organization.
